Re: Proposed F19 Feature: Package Signature Checking During Installation

On 01/09/2013 04:09 PM, Peter Jones wrote:

>> It just occurred to me that this has zero chance of working because
>> an attacker can always take the already-signed boot path from the
>> F18 installer and use that to boot a modified F19 installation
>> image.  We cannot retroactively add these checks to the F18
>> installation images (or F18 installations).  We could theoretically
>> revoke the signatures on the F18 binaries, but this would not go
>> well with our users.
>
> Sure; the intent here is to allow the images to validate the repos.

And this is a fine thing to do. We should probably change yum to download the repomd.xml file over HTTPS from a centralized, Fedora-managed server with certificate checking, and verify the hash chain leading to the RPMs. This way, users won't install outdated packages from a bad mirror. (This applies post-installation as well.)

I do agree that this is important work. As far as I can tell, it's completely independent of Secure Boot, so it has a chance of working well.

> As it stands you still need to verify that your netinst.iso (or
> whatever) boot image is what you mean to be using.  There are ways we
> can address that, but it's not the problem I'm trying to solve with this
> particular feature.

Fair enough. A special client which downloads the actual installation media from the mirror network and the verification hash from a project server over HTTPS shouldn't be too hard to write and could provide out-of-band verification. (This could be a Firefox add-on, for example, to provide users with a trust root.)

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
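The hash chain Florian describes above (a repomd.xml obtained from a trusted server over HTTPS vouches for primary.xml, and primary.xml vouches for each RPM) can be modelled offline. The block below is an added example, not yum code or anything from the Fedora project: it treats repomd.xml as already fetched from the trusted server, stands in for the mirror with a dict of path to bytes, and simplifies real repodata by serving primary.xml uncompressed (real repositories gzip it and carry both a checksum of the compressed file and an open-checksum of the uncompressed one). All repository content is constructed for the example. The untrusted mirror can then be caught serving either a modified RPM or a stale metadata snapshot, because in both cases a link of the chain no longer matches.

```python
"""Offline model of the repomd.xml -> primary.xml -> RPM hash chain.

The trusted repomd.xml (fetched over HTTPS with certificate checking in
the real design; here just bytes) pins the checksum of primary.xml, and
primary.xml pins the checksum of every package. A mirror can only serve
bytes that match those checksums, so both tampering and stale content
are rejected before anything is installed.
"""
import hashlib
import xml.etree.ElementTree as ET

# Real createrepo namespaces; used to address elements with ElementTree.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"


class RepoVerificationError(Exception):
    """Raised when any link of the repomd -> primary -> RPM chain fails."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_repomd(repomd_xml: bytes) -> dict:
    """Return {data type: (href, sha256)} from a trusted repomd.xml."""
    entries = {}
    for data in ET.fromstring(repomd_xml).findall(REPO_NS + "data"):
        checksum = data.find(REPO_NS + "checksum")
        location = data.find(REPO_NS + "location")
        if checksum is None or location is None or checksum.get("type") != "sha256":
            raise RepoVerificationError("repomd entry lacks a sha256 checksum")
        entries[data.get("type")] = (location.get("href"), checksum.text.strip())
    return entries


def fetch_verified(mirror: dict, href: str, expected_sha256: str) -> bytes:
    """Take href from an untrusted mirror; refuse it unless the hash matches."""
    data = mirror.get(href)
    if data is None:
        raise RepoVerificationError(f"mirror is missing {href}")
    if sha256_hex(data) != expected_sha256:
        raise RepoVerificationError(f"checksum mismatch for {href}")
    return data


def package_checksums(primary_xml: bytes) -> dict:
    """Return {package href: sha256} for every package in primary.xml."""
    result = {}
    for pkg in ET.fromstring(primary_xml).findall(COMMON_NS + "package"):
        checksum = pkg.find(COMMON_NS + "checksum")
        location = pkg.find(COMMON_NS + "location")
        if checksum is None or checksum.get("type") != "sha256":
            raise RepoVerificationError("package checksum is not sha256")
        result[location.get("href")] = checksum.text.strip()
    return result


def install_package(trusted_repomd: bytes, mirror: dict, pkg_href: str) -> bytes:
    """Walk the chain: repomd (trusted) -> primary.xml (mirror) -> RPM (mirror)."""
    primary_href, primary_sha = parse_repomd(trusted_repomd)["primary"]
    primary = fetch_verified(mirror, primary_href, primary_sha)
    pkg_sha = package_checksums(primary).get(pkg_href)
    if pkg_sha is None:
        raise RepoVerificationError(f"{pkg_href} is not listed in primary.xml")
    return fetch_verified(mirror, pkg_href, pkg_sha)


def verification_outcome(trusted_repomd: bytes, mirror: dict, pkg_href: str) -> str:
    """'ok' if the package verifies, otherwise the reason it was refused."""
    try:
        install_package(trusted_repomd, mirror, pkg_href)
        return "ok"
    except RepoVerificationError as exc:
        return str(exc)


# --- constructed sample repository (not real Fedora content) ---
RPM_HREF = "Packages/example-1.0-1.noarch.rpm"
RPM_BYTES = b"\xed\xab\xee\xdb" + b"constructed rpm payload for example-1.0-1"
PRIMARY_HREF = "repodata/primary.xml"

PRIMARY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="1">
<package type="rpm">
  <name>example</name><arch>noarch</arch>
  <version epoch="0" ver="1.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">{sha256_hex(RPM_BYTES)}</checksum>
  <location href="{RPM_HREF}"/>
</package>
</metadata>
""".encode()

# What the trusted HTTPS server would hand out: it pins the current primary.xml.
REPOMD_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1357757000</revision>
  <data type="primary">
    <checksum type="sha256">{sha256_hex(PRIMARY_XML)}</checksum>
    <location href="{PRIMARY_HREF}"/>
  </data>
</repomd>
""".encode()

GOOD_MIRROR = {PRIMARY_HREF: PRIMARY_XML, RPM_HREF: RPM_BYTES}
# Mirror serving a modified RPM behind untouched metadata.
TAMPERED_MIRROR = {PRIMARY_HREF: PRIMARY_XML, RPM_HREF: RPM_BYTES + b"\x00"}
# Out-of-date mirror: an older metadata snapshot listing an older package.
STALE_PRIMARY = PRIMARY_XML.replace(b'ver="1.0"', b'ver="0.9"')
STALE_MIRROR = {PRIMARY_HREF: STALE_PRIMARY, RPM_HREF: RPM_BYTES}

if __name__ == "__main__":
    for label, mirror in [("good", GOOD_MIRROR), ("tampered", TAMPERED_MIRROR), ("stale", STALE_MIRROR)]:
        print(f"{label:9s}: {verification_outcome(REPOMD_XML, mirror, RPM_HREF)}")
```

The stale case is the one that plain GPG signature checking on RPMs would not catch: the old package is still validly signed, but its metadata snapshot no longer hashes to what the trusted repomd.xml pins, so the client refuses it. The trust in this design rests entirely on how repomd.xml itself is obtained, which is why the proposal ties it to HTTPS with certificate checking against a project-managed server rather than to the mirror.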
